
McAfee Host Data Loss Prevention

Best Practices: Protecting against data loss from external devices

COPYRIGHT
Copyright 2009 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form
or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FLASHBOX, FOUNDSTONE, GROUPSHIELD, HERCULES, INTRUSHIELD, INTRUSION INTELLIGENCE,
LINUXSHIELD, MANAGED MAIL PROTECTION, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, MCAFEE.COM, NETSHIELD,
PORTALSHIELD, PREVENTSYS, PROTECTION-IN-DEPTH STRATEGY, PROTECTIONPILOT, SECURE MESSAGING SERVICE, SECURITYALLIANCE,
SITEADVISOR, THREATSCAN, TOTAL PROTECTION, VIREX, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc.
and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other
registered and unregistered trademarks herein are the sole property of their respective owners.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED,
WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH
TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS
THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET,
A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEB SITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU
DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN
THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
License Attributions
Refer to the product Release Notes.

McAfee Host Data Loss Prevention software

Contents
Protecting against data loss from removable devices and file systems
Device control
Content protection rules
Examples
Use case: Blocking wireless communication
Use case: Making all USB removable storage read-only except authorized devices
Use case: Blocking files containing personal identity information
Use case: Blocking files created by a GIS application
Use case: Disabling all CD/DVD burners from writing


Protecting against data loss from removable devices and file systems
The purpose of this document is to provide a brief overview of ways to protect against data
loss and to walk you through several use cases and best practices for data loss protection.
Contents
Device control
Content protection rules
Examples

Device control
McAfee Host Data Loss Prevention software protects enterprises from the risk associated with
unauthorized transfer of data from within or outside the organization. Data loss is defined as
confidential or private information leaving the enterprise as a result of unauthorized
communication through channels such as applications, physical devices, or network protocols.
Memory sticks are the smallest, easiest, cheapest, and least-traceable method of downloading
large amounts of data, which is why they are often considered the "weapon of choice" for
unauthorized data transfer. McAfee Device Control allows monitoring and controlling external
device behavior based on the device attributes rather than the content being copied. Using
McAfee Device Control, devices attached to enterprise computers, such as smart phones,
removable storage devices, Bluetooth devices, MP3 players, or Plug and Play devices, can be
monitored, blocked, or configured to be read-only.
There are two types of device control rules available in McAfee Device Control:
Plug and Play device rules
Removable storage device rules
Plug and Play device rules
Plug and Play device rules work on the device driver level, and can be used to block and monitor
devices. Whenever a new device is plugged into the computer, McAfee Device Control will match
the new device attributes against the device attributes defined in the Plug and Play device rule.
If a match is found, McAfee Device Control will perform the action (block/monitor/notify user)
defined by the device rule. Plug and Play device rules are used to restrict the use of peripheral
devices such as Bluetooth adapters and modems. Although Plug and Play device rules can also
be applied to removable storage devices, McAfee does not recommend using them for such
devices.
Pros and cons of Plug and Play device rules

Pros:
Allow for blocking any type of device.
Block devices at a very low level, before the driver has a chance to load.
Allow for easy blocking of entire device classes and bus types (such as "block all USB").

Cons:
The device blocking is based only on the device attributes and does not inspect content.
Can only block or monitor. Cannot make a device read-only.
Recommended use cases:
Block all Bluetooth adapters and modems
The enterprise wants to restrict end users from using Bluetooth and modem communication
to transfer data.
Block all Wireless communication
The enterprise wants to restrict end users from using wireless communication while connected
to the corporate network. See Use case: Blocking wireless communication.
Removable storage device rules
Removable storage device rules are used for blocking and monitoring removable storage devices
such as flash drives, MP3 players, and external hard drives. They can block, monitor, or configure
the removable storage to read-only. Whenever a new removable storage device is plugged into
the computer, McAfee Device Control will match the new device attributes against the device
attributes defined in the removable storage device rule. If a match is found McAfee Device
Control will perform the action defined by the device rule.
Removable storage device rules work on the file system level, and allow for more flexibility than
Plug and Play device rules. For example, the removable storage device rule can match a device
based on its file system type (NTFS, FAT32) or file system volume label. In addition, they provide
more accurate device names. For example an iPod is recognized by the Plug and Play mechanism
as USB mass storage device, whereas the removable storage rule recognizes it as Apple iPod,
which is more meaningful. (This description fits older iPods. The iPod Touch is recognized as a
Windows Image Acquisition device.)
McAfee recommends using removable storage device rules, rather than Plug and Play device
rules, to control all devices that provide removable storage, such as USB mass storage devices,
Flash Drives ("Disk on Key"), and CD/DVD.
NOTE: Since Plug and Play device rules are applied on the device driver level, they are applied
before removable storage device rules. The implication is that if a removable storage device is
blocked by both types of rule, the removable storage device rule will not be applied.
Pros and cons of removable storage device rules

Pros:
Allow read-only mode for removable storage devices.
Allow for greater flexibility for device matching (file system type, volume label).

Cons:
The device blocking is based only on the device attributes and does not inspect content.
Recommended use cases:
Make all USB removable storage read-only except authorized devices.
An enterprise has purchased a specific brand of encrypted flash drive and would like to
restrict the use of any other flash drive. See Use case: Making all USB removable storage
read-only except authorized devices.

Disable all CD/DVD burners from writing.
The enterprise wants to restrict engineering end users from using CD/DVD burners to write
CDs. McAfee Device Control is not able to analyze the content written to CD/DVD, therefore
removable storage device rules should be used. See Use case: Disabling all CD/DVD burners
from writing.

Content protection rules
Unlike device control functionality that blocks the entire device, content protection rules protect
individual files based on their content. When a file is copied to a network shared folder or a
removable storage device, McAfee Host Data Loss Prevention performs deep content analysis
to classify the content, and performs one (or more) of the following actions:
Block: Moves the file to the local quarantine folder and deletes its content from the
removable storage. This action is not available for network shared folders.
Monitor: Sends an incident event to the Host DLP (in version 3.0, the ePolicy Orchestrator)
database for monitoring and case management.
Store Evidence: Stores the original file that was copied so it can be viewed in the Host
DLP Monitor.
Notify User: Shows a popup to the end user as notification of the action that was
performed.
Encrypt: Encrypts the file using McAfee Endpoint Encryption. This action is available in
McAfee Host Data Loss Prevention software version 3.0.
Removable storage protection rules
Removable storage protection rules allow for blocking and monitoring of individual files being
written to removable devices according to file attributes and their content classification. When
a file is copied to a removable storage device, the Host DLP Agent inspects, analyzes, and
classifies the file content, and if the file classification matches one or more of the removable
storage protection rules, the agent will apply the action defined in the rule.
Host DLP provides several content classification techniques, including:
Regular expression matching
Keyword
Application that created or edited the file
Current storage location
Where the file is being copied to.
McAfee recommends using removable storage protection rules whenever an enterprise allows
use of removable storage devices, but wants to restrict (or monitor) the data that is written to
them.
Pros and cons of removable storage protection rules

Pros:
Allow blocking individual files according to their content and attributes, rather than block
the entire device.

Cons:
McAfee Host Data Loss Prevention software uses CPU resources to analyze every file copied
to removable media.

Recommended use cases:
Block copying of files containing personal identity information (PII).
There are many forms of PII: Social Security Number (SSN), driver's license number, National
Identification Number, and so on. McAfee Host Data Loss Prevention contains pre-defined
regular expression patterns (Secured Text Patterns) that can be used to create these rules.
See Use case: Blocking files containing personal identity information.
NOTE: McAfee Host Data Loss Prevention software version 3.0 introduces regular expression
validators to reduce false positives.
Block copying of files created by a Geographic Information System (GIS) application to
removable storage.
Certain applications create files that contain binary information that cannot be content
inspected. McAfee Host Data Loss Prevention software provides a unique technology to
classify content based on the application that creates or edits the file. See Use case: Blocking
files created by a GIS application.
By creating application-based tagging rules the Host DLP Agent can tag any file that is
created by a GIS application. This tag can then be used in removable storage protection
rules to block or monitor copying of GIS files to removable storage.
Network file system protection rules
Network file system protection rules are very similar to removable storage protection rules, but
they apply to the Windows network file system (shared folders) rather than devices. They
support monitoring files copied to a defined Windows share, but they do not support blocking the
copy operation.
McAfee Host Data Loss Prevention software version 3.0 introduces the ability to encrypt files
that are copied to the network, to enforce compartmentalization policies, using McAfee Endpoint
Encryption.
Recommended use cases:
Monitor all files containing credit card numbers being copied to public folders on a file server.
Many organizations provide public folders for file sharing on the network. Reckless users
can copy sensitive files to these folders. Using McAfee Host Data Loss Prevention you can
create a network file system protection rule to Monitor, Notify User, and Store Evidence for
every file that contains sensitive information, such as credit card numbers, when copied to
the public folder on the network. Ideally, such files should also be encrypted.
Compartmentalization (available in McAfee Host Data Loss Prevention software version 3.0
using McAfee Endpoint Encryption integration)
Assume your organization has an engineering group, a finance group, and a sales group.
You can use the McAfee Host Data Loss Prevention software version 3.0 and McAfee Endpoint
Encryption integration to generate three encryption keys FINANCE_KEY,
ENGINEERING_KEY and SALES_KEY. Each key is available only to members of that group
to unlock files. Using these keys in network file system protection rules can ensure that
every sensitive file that is copied to a network shared folder will be properly encrypted, and
visible only to authorized users.

Examples
The following examples demonstrate the techniques discussed in the text.
Use case: Blocking wireless communication
Use case: Making all USB removable storage read-only except authorized devices
Use case: Blocking files containing personal identity information
Use case: Blocking files created by a GIS application
Use case: Disabling all CD/DVD burners from writing

Use case: Blocking wireless communication
Assume an organization wants to restrict end users from using wireless communication while
connected to the corporate network. With McAfee Device Control it is possible to define a policy
that differentiates between users who are online (connected to the corporate network) and
those who are offline. The following example shows how to block wireless adapters while a
user is connected to the corporate network.
Example
1 In the Navigation Bar under Device Management, select Device Definitions.
2 Right-click in the device definitions panel, and click Add New | Plug and Play Device
Definition. Type Wireless Network Adapters to rename, and press Enter.
3 Double-click the device definition to edit it. Select Device Class, then select Network
Adapters and click OK.
4 Select Device Name. The definition parameter edit dialog box appears.
5 Click Add New and type wireless into the text box. Select the Allow Partial Match option.
6 Click Add New and type wlan into the text box. Select the Allow Partial Match option.
7 Click Add New and type 802.11 into the text box. Select the Allow Partial Match option.
Click OK twice to complete the definition.
8 In the Navigation Bar under Device Management, select Device Rules.
9 Right-click in the device definitions panel, and click Add New | Plug and Play Device
Rule. Type Block wireless network adapters when online to rename, and press Enter.
10 Double-click to edit the rule. Select Wireless Network Adapters in the Include column.
Click Next.
11 Select Block, Monitor, and Notify User.
12 For each action, deselect the Offline option. Click Finish.

Use case: Making all USB removable storage read-only except authorized devices
Assume an organization that purchased a specific brand of encrypted flash drives and would
like to restrict the use of all other flash drives.
Example
1 In the Navigation Bar under Device Management, select Device Definitions.
2 Right-click in the device definitions panel, and click Add New | Removable Storage
Device Definition. Type USB Removable Storage to rename, and press Enter.
3 Double-click the device definition to edit it. Select Bus Type, select USB and click OK.
4 Right-click in the device definitions panel again, and click Add New | Removable Storage
Device Definition. Type McAfee Encrypted USB Devices to rename, and press Enter.
5 Double-click the device definition to edit it. Select Bus Type, select USB Vendor
ID/Product ID and click Add New. The definition parameter edit dialog box appears.
6 Click Add New to add each of the following devices:

Vendor ID   Product ID   Description
1A4B        022A         McAfee Standard Encrypted USB
1A4B        3220         McAfee Standard Driverless Encrypted USB
1A4B        3200         McAfee Zero-Footprint Bio
1A4B        3500         McAfee Zero-Footprint Non-Bio
1A4B        3400         McAfee Encrypted USB Hard Disk

TIP: Use the mouse to select the Product ID and Description text boxes.
7 In the Navigation Bar under Device Management, select Device Rules.
8 Right-click in the device definitions panel, and click Add New | Removable Storage
Device Rule. Type Block all USB except McAfee to rename, and press Enter.
9 Double-click to edit the rule. Select USB Removable Storage in the Include column,
and select McAfee Encrypted USB Devices in the Exclude column. Click Next.
10 Select Monitor, Notify User and Read Only. Click Finish.
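The device-control policies built in the two use cases above (wireless adapters blocked only while online; USB storage read-only unless its Vendor ID/Product ID is on the McAfee list), together with the CD/DVD read-only rule from the last use case, expressed as a small rule evaluator. This is an added example written for this page, not McAfee code and not how the Host DLP agent is implemented. It assumes that a device definition matches when every parameter it sets matches the device (values inside one parameter are alternatives), that Plug and Play rules are evaluated before removable storage rules and stop evaluation on Block (as the NOTE in the Device control section states), and that the per-action Offline option can be reduced to one flag per rule. The device records, device class strings and the non-McAfee vendor/product IDs are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class Device:
    """Attributes seen when a device is plugged in (constructed sample shape)."""
    name: str
    device_class: str           # Windows device class, e.g. "Network Adapters"
    bus_type: str = ""          # e.g. "USB", "PCI", "ATAPI"
    vendor_id: str = ""         # USB Vendor ID, hex string
    product_id: str = ""        # USB Product ID, hex string


@dataclass
class DeviceDefinition:
    """Assumption: every parameter that is set must match; name matching is the
    'Allow Partial Match' case-insensitive substring test used in the use case."""
    device_classes: set = field(default_factory=set)
    name_substrings: set = field(default_factory=set)
    bus_types: set = field(default_factory=set)
    vid_pids: set = field(default_factory=set)      # {("1A4B", "022A"), ...}

    def matches(self, dev: Device) -> bool:
        if self.device_classes and dev.device_class not in self.device_classes:
            return False
        if self.name_substrings and not any(
                s.lower() in dev.name.lower() for s in self.name_substrings):
            return False
        if self.bus_types and dev.bus_type not in self.bus_types:
            return False
        if self.vid_pids and (dev.vendor_id.upper(), dev.product_id.upper()) not in self.vid_pids:
            return False
        return True


@dataclass
class PnPRule:
    name: str
    include: DeviceDefinition
    actions: set                    # subset of {"Block", "Monitor", "Notify User"}
    apply_offline: bool = True      # the per-action "Offline" option, reduced to one flag


@dataclass
class RemovableStorageRule:
    name: str
    include: DeviceDefinition
    exclude: list = field(default_factory=list)
    actions: set = field(default_factory=set)   # may also contain "Read Only"


def evaluate(dev, pnp_rules, rs_rules, online=True):
    """Return (names of matching rules, union of their actions) for a device.
    Plug and Play rules run first (driver level); a device they block is never
    evaluated against removable storage rules."""
    matched, actions = [], set()
    for rule in pnp_rules:
        if not online and not rule.apply_offline:
            continue                            # rule disabled while offline
        if rule.include.matches(dev):
            matched.append(rule.name)
            actions |= rule.actions
    if "Block" in actions:
        return matched, actions
    for rule in rs_rules:
        if rule.include.matches(dev) and not any(x.matches(dev) for x in rule.exclude):
            matched.append(rule.name)
            actions |= rule.actions
    return matched, actions


# The three policies from the use cases, in this model.
WIRELESS_ADAPTERS = DeviceDefinition(device_classes={"Network Adapters"},
                                     name_substrings={"wireless", "wlan", "802.11"})
USB_REMOVABLE_STORAGE = DeviceDefinition(bus_types={"USB"})
MCAFEE_ENCRYPTED_USB = DeviceDefinition(vid_pids={
    ("1A4B", "022A"), ("1A4B", "3220"), ("1A4B", "3200"), ("1A4B", "3500"), ("1A4B", "3400")})
CD_DVD_DEVICES = DeviceDefinition(device_classes={"CD/DVD Drives"})

PNP_RULES = [PnPRule("Block wireless network adapters when online", WIRELESS_ADAPTERS,
                     {"Block", "Monitor", "Notify User"}, apply_offline=False)]
RS_RULES = [
    RemovableStorageRule("Block all USB except McAfee", USB_REMOVABLE_STORAGE,
                         [MCAFEE_ENCRYPTED_USB], {"Monitor", "Notify User", "Read Only"}),
    RemovableStorageRule("Block all CD-R burning", CD_DVD_DEVICES, [],
                         {"Notify User", "Read Only"}),
]


def decide(dev, online=True):
    return evaluate(dev, PNP_RULES, RS_RULES, online)


# Constructed sample devices (everything except the McAfee VID/PID pairs is made up).
WIFI_CARD = Device("Sample 802.11n WLAN Mini-PCI Adapter", "Network Adapters", "PCI")
GENERIC_STICK = Device("Sample USB Flash Disk", "USB Mass Storage", "USB", "0ABC", "1234")
MCAFEE_STICK = Device("McAfee Encrypted USB", "USB Mass Storage", "USB", "1a4b", "022a")
DVD_BURNER = Device("Sample DVD-RW Drive", "CD/DVD Drives", "ATAPI")

if __name__ == "__main__":
    for dev in (WIFI_CARD, GENERIC_STICK, MCAFEE_STICK, DVD_BURNER):
        print(dev.name, "->", decide(dev))
    print(WIFI_CARD.name, "offline ->", decide(WIFI_CARD, online=False))
```

The short-circuit in `evaluate` is the practical point of the NOTE: a Plug and Play rule that blocks a whole bus ("block all USB") silences every removable storage rule for that bus, including the exclusion that was meant to keep the authorized encrypted drives working, which is why the page recommends removable storage rules for storage devices.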

Use case: Blocking files containing personal identity information
The following example shows how to create a content-based tagging rule that will tag any file
containing a social security number, and how to create a removable storage protection rule
that will prevent copying these files to removable storage.
Example
1 In the Navigation Bar under Rules, select Tagging Rules. Right-click in the tagging rules
panel, click Add New | Content Based Tagging Rule, and type SSN Tagging Rule to
rename the rule.
2 Double-click the rule to edit it. From the pre-defined list of secured text patterns, check
Social Security Number. Click Next.
3 On the tags page, click Add New, type SSN Tag in the Name text box, click OK, then
Finish.
4 In the Navigation Bar under Rules, select Reaction Rules. Right-click in the panel, click
Add New | Removable Storage Protection Rule, and rename it Block PII copied to
removable storage.
5 Double-click the rule to open the wizard. You can skip all of the steps except the following:
a On the tags page, select the SSN Tag created earlier in this procedure.
b On the actions page, select Block, Monitor, Notify User, and Store Evidence.

Use case: Blocking files created by a GIS application
The following example shows how to create an application-based tagging rule that will tag any
file that is created or edited by a Geographic Information System (GIS) application, and how
to create a removable storage protection rule that will prevent copying GIS files to removable
storage.
Example
1 In the Navigation Bar under Applications, select Enterprise Applications List.
2 Right-click in the application list panel, and click Add. Browse to the GIS application
executable, then click Open. Note the exact executable name. You will need it in the next
step. Click Add, then Close.
3 In the Navigation Bar under Applications, select Application Groups. Right-click in the
panel, and click Add New | Application Group. Type GIS Applications in the Name text
box and press Enter.
4 Double-click the GIS Applications group. Browse to the name of the vendor and select
it. Click the plus sign next to the name to view the details. If there are other products by
the same vendor you don't want to include in the rule, deselect them.
5 In the Navigation Bar under Rules, select Tagging Rules. Right-click in the tagging rules
panel, click Add New | Application Based Tagging Rule, and type GIS Tagging Rule to
rename the rule.
6 Double-click the rule, select GIS Applications, then click Next.
7 (Optional) Click Select from list, select Graphic files, then click Next three times to
reach the Tags page.
8 Click Add New, name the tag GIS Tag, click OK, then Finish.
9 In the Navigation Bar under Rules, select Reaction Rules. Right-click in the panel, click
Add New | Removable Storage Protection Rule, and rename it Block GIS files copied
to removable storage.
10 Double-click the rule to open the wizard. You can skip all of the steps except the following:
a On the tags page, select the GIS Tag created earlier in this procedure.
b On the actions page, select Block, Monitor, Notify User, and Store Evidence.
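The two tagging rules from the PII and GIS use cases (a content-based SSN tag with a validator, an application-based GIS tag) and the reaction rules that consume them, as an added example written for this page rather than McAfee code. It assumes a simple dashed SSN text pattern (the product's built-in Secured Text Pattern is not shown on the page) and models the version 3.0 validator as the structural checks on numbers the Social Security Administration never issues; `gisapp.exe`, the file names and the file contents are constructed; and, following the Network file system protection rules section, a rule for a network share may monitor and store evidence but never block the copy.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# Text pattern for a US Social Security Number (modelled here; the product's
# built-in Secured Text Pattern is not shown on the page).
SSN_PATTERN = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def ssn_validator(match: re.Match) -> bool:
    """Model of a version 3.0 validator: reject numbers the SSA never issues
    (area 000, 666 or 900-999; group 00; serial 0000) to cut false positives."""
    area, group, serial = match.groups()
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


@dataclass
class FileEvent:
    path: str
    content: str        # text the agent could extract; "" for opaque binary data
    created_by: str     # executable that created or last edited the file
    extension: str


@dataclass
class ContentTaggingRule:
    tag: str
    pattern: re.Pattern
    validator: Optional[Callable[[re.Match], bool]] = None

    def applies(self, f: FileEvent) -> bool:
        return any(self.validator is None or self.validator(m)
                   for m in self.pattern.finditer(f.content))


@dataclass
class ApplicationTaggingRule:
    tag: str
    application_group: set                              # executable names in the group
    file_extensions: set = field(default_factory=set)   # empty = any file type

    def applies(self, f: FileEvent) -> bool:
        if f.created_by.lower() not in self.application_group:
            return False
        return not self.file_extensions or f.extension.lower() in self.file_extensions


@dataclass
class ProtectionRule:
    name: str
    destination: str    # "removable" or "network"
    tags: set
    actions: set


def classify(f, tagging_rules):
    """Tags attached to a file: every tagging rule that applies contributes its tag."""
    return {r.tag for r in tagging_rules if r.applies(f)}


def react(tags, destination, protection_rules):
    """Reaction rules triggered when a file carrying these tags is copied somewhere."""
    matched, actions = [], set()
    for rule in protection_rules:
        if rule.destination == destination and tags & rule.tags:
            matched.append(rule.name)
            actions |= rule.actions
    if destination == "network":
        actions.discard("Block")    # network file system rules cannot block the copy
    return matched, actions


TAGGING_RULES = [
    ContentTaggingRule("SSN Tag", SSN_PATTERN, ssn_validator),
    ApplicationTaggingRule("GIS Tag", {"gisapp.exe"}, {"shp", "tif"}),  # hypothetical GIS executable
]
PROTECTION_RULES = [
    ProtectionRule("Block PII copied to removable storage", "removable", {"SSN Tag"},
                   {"Block", "Monitor", "Notify User", "Store Evidence"}),
    ProtectionRule("Block GIS files copied to removable storage", "removable", {"GIS Tag"},
                   {"Block", "Monitor", "Notify User", "Store Evidence"}),
    ProtectionRule("Monitor PII copied to public share", "network", {"SSN Tag"},
                   {"Monitor", "Notify User", "Store Evidence"}),
]


def decide(f, destination):
    """Full pipeline: classify the file, then look up the reaction for this copy."""
    tags = classify(f, TAGGING_RULES)
    return tags, react(tags, destination, PROTECTION_RULES)


# Constructed sample files (paths, contents and executables are made up).
HR_EXPORT = FileEvent("hr_export.txt", "Employee 4471, SSN 123-45-6789, hired 2008",
                      "spreadsheet.exe", "txt")
ORDER_LOG = FileEvent("orders.txt", "refs 000-12-3456 and 987-65-4321", "notepad.exe", "txt")
SURVEY = FileEvent("survey.shp", "", "gisapp.exe", "shp")   # binary, not content-inspectable

if __name__ == "__main__":
    for f in (HR_EXPORT, ORDER_LOG, SURVEY):
        print(f.path, "-> removable:", decide(f, "removable"))
    print(HR_EXPORT.path, "-> network:", decide(HR_EXPORT, "network"))
```

`orders.txt` shows why the validator matters: both dashed numbers in it match the bare pattern, so without the validator the file would be quarantined on every copy to removable media, while the GIS shapefile shows the opposite case, a file whose content cannot be inspected at all and is caught only by the application that created it.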

Use case: Disabling all CD/DVD burners from writing
Assume an organization wants to restrict engineering end users from using CD/DVD burners
to write CDs. McAfee Host Data Loss Prevention is not able to analyze the content written to
CD/DVD, therefore removable storage device rules should be used.
Limitation: The following CD/DVD burners are not protected in McAfee Host Data Loss
Prevention v2.2:
Alcohol 120%
Iomega Hotburn
Example
1 In the Navigation Bar under Device Management, select Device Definitions.
2 Right-click in the device definitions panel, and click Add New | Removable Storage
Device Definition. Type CD/DVD Devices to rename, and press Enter.
3 Double-click the device definition to edit it. Select CD/DVD Drives and click OK to close
the definition dialog.
4 In the Navigation Bar under Device Management, select Device Rules.
5 Right-click in the device definitions panel, and click Add New | Removable Storage
Device Rule. Type Block all CD-R burning to rename, and press Enter.
6 Double-click to edit the rule. Select CD/DVD Devices in the Include column. Click Next.
7 Select Notify User and Read Only. Click Finish.
